Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
-
submitted
28-11-2024 17:03
General
-
Target
ef4bdcb7a4565b7a4879d30ba9ed8c0466f82ca8695dcb7942479e2105b562d7.exe
-
Size
4.9MB
-
MD5
364f9aa7879d48ffeb12ca794d1a1fb6
-
SHA1
7c5e4c6237881d714d43a95cfe69a4d15d8ff641
-
SHA256
ef4bdcb7a4565b7a4879d30ba9ed8c0466f82ca8695dcb7942479e2105b562d7
-
SHA512
a6175b2facffdc57a98e77791cff47cf3b4ffba13e0ae433052bb70bdf94948a2724d0ba7e993094bb63f248dae9f78b8f615b7676299442b37aee61efc5492d
-
SSDEEP
49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8O:O
Score
10/10
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 45 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs 30 IoCs
-
DCRat payload 1 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Executes dropped EXE 9 IoCs
-
Checks whether UAC is enabled 1 TTPs 20 IoCs
-
Drops file in Program Files directory 28 IoCs
-
Drops file in Windows directory 8 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 24 IoCs
-
Suspicious use of AdjustPrivilegeToken 22 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 30 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\ef4bdcb7a4565b7a4879d30ba9ed8c0466f82ca8695dcb7942479e2105b562d7.exe"C:\Users\Admin\AppData\Local\Temp\ef4bdcb7a4565b7a4879d30ba9ed8c0466f82ca8695dcb7942479e2105b562d7.exe"1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\All Users\Templates\OSPPSVC.exe"C:\Users\All Users\Templates\OSPPSVC.exe"2⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\75a7b480-66aa-4b64-80ea-8e3ab99db3b8.vbs"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\All Users\Templates\OSPPSVC.exe"C:\Users\All Users\Templates\OSPPSVC.exe"4⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\43070c72-6c25-469a-bc90-09ab475bdd0e.vbs"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\All Users\Templates\OSPPSVC.exe"C:\Users\All Users\Templates\OSPPSVC.exe"6⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d1a65e73-c420-43f1-951b-a60b1dc7b382.vbs"7⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\All Users\Templates\OSPPSVC.exe"C:\Users\All Users\Templates\OSPPSVC.exe"8⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\38c064f5-9882-42d6-a482-f2b6bbd0782e.vbs"9⤵
-
C:\Users\All Users\Templates\OSPPSVC.exe"C:\Users\All Users\Templates\OSPPSVC.exe"10⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\57b5cce3-4e4f-4763-99c9-ed49d27b5c7a.vbs"11⤵
-
C:\Users\All Users\Templates\OSPPSVC.exe"C:\Users\All Users\Templates\OSPPSVC.exe"12⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0db5a766-1d99-4e50-ba8a-4579c65f7dcf.vbs"13⤵
-
C:\Users\All Users\Templates\OSPPSVC.exe"C:\Users\All Users\Templates\OSPPSVC.exe"14⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a72e590e-e3bd-4efb-9a45-ed1955942fa1.vbs"15⤵
-
C:\Users\All Users\Templates\OSPPSVC.exe"C:\Users\All Users\Templates\OSPPSVC.exe"16⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6b56aab5-5030-4178-af74-0c45061a9a6a.vbs"17⤵
-
C:\Users\All Users\Templates\OSPPSVC.exe"C:\Users\All Users\Templates\OSPPSVC.exe"18⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4ae1f6f7-5c56-4b80-81a8-3635286559ea.vbs"17⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\81e56774-d8f7-4992-8cc8-e13d42a98b56.vbs"15⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\19021d8d-a51f-4326-966f-4b5fddaf2145.vbs"13⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\62396df3-c436-4aaa-af24-94af45f19e63.vbs"11⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a43e941-bc04-451e-8085-bac6938e53fa.vbs"9⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4ce1ff65-6e26-49d7-a368-57a1b3e5d0e8.vbs"7⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fbd0afb0-5514-4261-b5b4-b5d1766b2aae.vbs"5⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fcd9f224-818f-4abb-b56e-14baf41f84a8.vbs"3⤵
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Common Files\SpeechEngines\Microsoft\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Common Files\SpeechEngines\Microsoft\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Common Files\SpeechEngines\Microsoft\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Windows\Registration\CRMLog\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Windows\Registration\CRMLog\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Templates\OSPPSVC.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\All Users\Templates\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Templates\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Journal\es-ES\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\es-ES\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Journal\es-ES\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Windows\AppCompat\Programs\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\AppCompat\Programs\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Windows\AppCompat\Programs\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender\es-ES\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\es-ES\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Defender\es-ES\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Music\Sample Music\OSPPSVC.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Public\Music\Sample Music\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Music\Sample Music\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "ef4bdcb7a4565b7a4879d30ba9ed8c0466f82ca8695dcb7942479e2105b562d7e" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\ef4bdcb7a4565b7a4879d30ba9ed8c0466f82ca8695dcb7942479e2105b562d7.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "ef4bdcb7a4565b7a4879d30ba9ed8c0466f82ca8695dcb7942479e2105b562d7" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\ef4bdcb7a4565b7a4879d30ba9ed8c0466f82ca8695dcb7942479e2105b562d7.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "ef4bdcb7a4565b7a4879d30ba9ed8c0466f82ca8695dcb7942479e2105b562d7e" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\ef4bdcb7a4565b7a4879d30ba9ed8c0466f82ca8695dcb7942479e2105b562d7.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Users\Default\My Documents\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default\My Documents\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Users\Default\My Documents\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4.9MB
MD5364f9aa7879d48ffeb12ca794d1a1fb6
SHA17c5e4c6237881d714d43a95cfe69a4d15d8ff641
SHA256ef4bdcb7a4565b7a4879d30ba9ed8c0466f82ca8695dcb7942479e2105b562d7
SHA512a6175b2facffdc57a98e77791cff47cf3b4ffba13e0ae433052bb70bdf94948a2724d0ba7e993094bb63f248dae9f78b8f615b7676299442b37aee61efc5492d
-
Filesize
4.9MB
MD55857590e0c06900b5833765656acd269
SHA1381b8ec511502891e051a50dd25031fe909f87f5
SHA2564f4f1a460befd585fd8348e470ee1d22cb78d19194edeacdcd41499161f470bc
SHA512e7a6b973a984986f088551042d72462a204e66bac326c6c15530abc3e813aab0e2c508a1e4cb78328e8f12c0f6e682a5586738eb1b87cf6863f94e4a293fa9e3
-
Filesize
4.9MB
MD5794017c94fea1b2276ac8581c82de553
SHA1a55914e509b5889e39ac8b10fece1bc7257759d2
SHA256f468d28396865df3c0d6286d75dd740d6bdead04d3ab3f0e39784fcbbc2f920b
SHA512bf959ec79e6892c8ac8b9aed16c76ebe2d2d098a540bb98064cd69354d59518fb553257925ac9823714fb93f5a8b14fda6c5e74222a55746933e8690478e5459
-
Filesize
716B
MD5cfa743b1c8c112513fe15db079ee59da
SHA1c82c413e4b7f38a68d3259b4d641c84e3d3dcde0
SHA256c35df546edfc5c77b668aca5e99fbacdeaf62160c36d95feca2509232f129c4b
SHA51273c355c65f817dc7f31fe3b7dce165f0bdb2d6e0d713345bbf4c6629d9556cdb3aa73d7a8c6b3a4bd02cdffca30effe8885148d1fb7dac26ab96c7854a6393ea
-
Filesize
716B
MD5a346a1d7cdc048fd821583edf4a7f9ff
SHA181f86b4fe127372a71c864441ed1d8a0ade59cc6
SHA256a0ea7e0df2d2d5311427e2c8ea82bc7f7ecc9f6bf093ae868f1d73b8409aa538
SHA512e898a1d3f296fc105f0a872bee30f7ed31c1c0bbebb942d29bdbb5d8329a0d03ad90dd4f773017cd6daa61e5d908a7675872432b691d714c873eafc7fe015521
-
Filesize
716B
MD501a7ea59a523662cb92d81d25e1d9561
SHA1dd2c571fdfc539c9582453662320a9445aed157a
SHA2565be2e1a587d8290a1a2367b290dc755fcc53c9a81c4a1ea39a3ba12464ff3819
SHA512f3c79305e2e25bf1fdba09cde547e5f3c09c72ddb9671df25330fe13f4583c381d0971d6d7470205ef78bed1e0e582c1e83606a5c21a46c9f78f03cc83882b9d
-
Filesize
716B
MD55e20c9f552778d06b543edddc6975167
SHA19d8c590813e87b56ce095198515d5c9f73918c52
SHA2562698db8795a952d4125704d9de4144e70efd08c0ba746e59a95d85dee20fbf62
SHA5120d62dcefdc3014e4cd4812169b457242f1210e23cb7564fc1152b4fc41032ed24ee2fcdd766014580ce0e9c096046f99ffb3ee2d4a315625a9c6f0712fa3e210
-
Filesize
716B
MD5ad2b562c474f0b84717801863bc2e5c4
SHA1ebdb9c1a77c050dd9e99ac9d206220a88b0117d7
SHA256002ac62bc40deb47aa22ac3f080348d795641369db012b6df476a2958fcd80f8
SHA51208b6006d165b9545e2b081c9db98b71aa7626ac4daebbb0c909e574daa4846ed7d0c852f2345b2d50881396683d176dc73a2485b2f369bf584d00f8dff19c9f7
-
Filesize
716B
MD599ebc643cf77028be155d369a92c8d3c
SHA1ebd38bbbcdacfaeed6dc6489c4eb5135a34d4c24
SHA2564ec8add76bc176c0f05cdb4c3bcdcc9fda26c0c97ad1e125e2059a350118faba
SHA51293841dd6fb4b5532f9d8e2dfd45998db07dbb109bd97645431d37adac0e74ea0c56351aac006847311cb12b7a1f9e00864904bc0c5f3bfee13d3fc5021ae29ac
-
Filesize
716B
MD5c4de8cc98198ab2f361617c5c30a2cba
SHA14d6b6033edbc9334db83386d303bfe18d06c4228
SHA256d677178d565e77de4bc1a59136adf5b46efb617265e863a2dd405f8401bf2d69
SHA512dccb58585861f3ae6393561450730dedf134c4ff8252b11156587e2863c4e075310c9d891f0dcc76cb4c050b32d0945d64cbc44fdc9d77a730b26166216d3b21
-
Filesize
716B
MD5e24980f42073b91b2588065c9700639d
SHA15f0f05b464646ed14496e42c31a7a63835cc139f
SHA2564948b9bbf6acf1fc4095c285e322a8c1cb7c031dea270f61318577abb03ec574
SHA51220c689d225059f3afb5b7f1d22b00a93c0bc1f97c16fa4c6f1a0835999c92c9da1cdf8865b526c0cf9130fd79b3f678bf38a6f37130257896dcda9fde0712c43
-
Filesize
492B
MD5d369a9d708054485d4ae3461e5fe895f
SHA1feff403761961c8a5ab839a07a0afa49e0122a85
SHA2564696aa9a03605c2822148694babfe08e872d999da1a0fe1543c988a589cd5884
SHA512b19377571e80d509ff98688a0b341696696731bcd32b858e81aa2120970e27bbf5c94739a3016abbbf3f5fba32ae154e16d379fc2a39edff913fdcaae9fbfc75
-
Filesize
75KB
MD5e0a68b98992c1699876f818a22b5b907
SHA1d41e8ad8ba51217eb0340f8f69629ccb474484d0
SHA2562b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f
SHA512856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2
-
Filesize
7KB
MD577468789967416a49a9b8c2ac8f3c26a
SHA19f35a239717944a490dc6902824c56caa0804225
SHA256d421175a19b957a45808c1ad97443fc48272eab726934e57677720b990bb5650
SHA5126851e9785735e578051a0cc917e431d408d5f1d0a3b5a4d533a5e2a8912bba3854ffc9fef288133c2010c75d52c875536c4b6216d5145206d88e9bc3dbddc01b
-
Filesize
5.0MB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
4KB
-
Filesize
9.9MB
-
Filesize
56KB
-
Filesize
5.0MB
-
Filesize
56KB
-
Filesize
1.2MB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
112KB
-
Filesize
40KB
-
Filesize
4KB
-
Filesize
40KB
-
Filesize
32KB
-
Filesize
64KB
-
Filesize
88KB
-
Filesize
32KB
-
Filesize
72KB
-
Filesize
5.0MB
-
Filesize
5.0MB
-
Filesize
2.9MB
-
Filesize
5.0MB
-
Filesize
32KB
-
Filesize
5.0MB